Toward a Framework for Internet Forensic Analysis

The world of network security is an arms race where attackers constantly change the signatures of their attacks to avoid detection. Aiding the white-hats in this race is one fundamental invariant across all network attacks (present and future): for the attack to progress there must be communication among attacker, the associated set of compromised hosts and the victim(s), and this communication is visible to the network. We argue that the Internet architecture should be extended to include auditing mechanisms that enable the forensic analysis of network data, with a goal of identifying the true originator of each attack — even if the attacker recruits innocent hosts as zombies or stepping stones to propagate the attack. In this paper we outline an approach to the problem of Attacker Identification and Attack Reconstruction, describe the challenges involved, and explain our efforts that show the promise of this approach.